Authentication
How to authenticate with the Pendium MCP server and REST API.
Pendium supports two authentication methods: OAuth (for all MCP connections — Claude.ai, ChatGPT, coding agents, and any MCP client) and API keys (for the REST API and custom integrations).
OAuth (all MCP connections)
All MCP connections use OAuth 2.1 with PKCE. When you add Pendium's MCP server to any client, the platform handles authentication automatically — you sign in with your Pendium account and the platform receives a token.
No API key is needed for MCP. The client registers itself, redirects you to sign in, and exchanges an authorization code for an access token — all behind the scenes.
Supported platforms:
- Claude.ai (web and desktop app)
- ChatGPT
- Claude Code
- Cursor
- Windsurf
- Any MCP-compatible client
See the quick start for setup instructions.
OAuth endpoints (for reference — platforms discover these automatically):
| Endpoint | URL |
|---|---|
| Protected Resource Metadata | https://pendium.ai/.well-known/oauth-protected-resource |
| Authorization Server Metadata | https://pendium.ai/.well-known/oauth-authorization-server |
| Dynamic Client Registration | https://pendium.ai/register |
| Authorization | https://pendium.ai/authorize |
| Token Exchange | https://pendium.ai/token |
API keys (REST API only)
For custom integrations, scripts, and no-code tools that use the REST API directly, authenticate with an API key.
Generate an API key from your Pendium dashboard. Log in, click your avatar in the sidebar, then API Keys. Or visit pendium.ai/mcp and click Get API Key.
Passing your API key
Include your API key in the x-api-key request header:
See the REST API docs for endpoint details and examples.
How auth works
- MCP connections: The server extracts the OAuth access token from the
Authorization: Bearerheader. The token is validated against Pendium's database, resolving to a user account. - REST API: The server extracts the API key from the
x-api-keyheader. The key is validated by hash lookup, resolving to a user account. - For tools that operate on a specific brand agent (identified by
syntheticId), an ownership check verifies the authenticated user has access to that agent. - Admin users can access any agent.
Error responses
When authentication fails, the server returns a 401 with a descriptive error:
| Scenario | Error message |
|---|---|
| No token provided | Authentication required. Connect via OAuth. |
| Invalid or expired token | Invalid or expired OAuth token. Re-authenticate via OAuth. |
| No access to agent | Agent with syntheticId=X not found or you don't have access. Use the get_account tool to see your agents. |
For MCP clients, a 401 response includes a WWW-Authenticate header that triggers the platform to re-authenticate automatically.
Agent access model
Each OAuth token or API key is tied to a Pendium user account. That user owns one or more brand agents (identified by syntheticId). Tools that require a syntheticId parameter will verify that the authenticated user owns that agent before executing.
Use the get_account tool to list all agents accessible to your account, along with their syntheticId values and latest scores.